Configure Database Owner Account

FineBuild can configure a User Database Owner Account as part of the SQL Server install process.

A SQL Server login is created that should be used as the owner account for User databases.

In the past, it was considered best practice for all databases to be owned by the sa account. However, if a user database is owned by the sa account and has ownership chaining enabled, then users in the db_owner role in that user database can gain elevated privileges in the system databases. To avoid this, it is now considered best practice for all user databases to be owned by a low-privilege account.

Additionally, if a set of user databases has ownership chaining enabled, those databases should be owned by a different account from the other user databases. This prevents users in the chained databases from gaining privileges in the unchained databases.

In order to identify which account should be used as the standard user database owner account, a Credential is created to hold this metadata. The Credential is used in a similar manner to an Endpoint: it allows code elsewhere in SQL FineBuild to find an unknown value (the DB owner account) by looking at a known value (the Credential) and extracting the account name.

Security Compliance

Database Owner Account configuration helps to reduce the impact of a Raised Privilege attack. If you set up Security Compliance then Database Owner Account configuration will always be implemented.

FineBuild Configure Database Owner Account

The Database Owner Account configuration relates to Process Id 5CF. It is controlled by the parameters below:

Parameter         Build        SQL2005  SQL2008  SQL2008 R2  SQL2012  SQL2014  SQL2016
SetupStdAccounts  FULL         Yes      Yes      Yes         Yes      Yes      Yes
SetupStdAccounts  WORKSTATION  Yes      Yes      Yes         Yes      Yes      Yes
SetupStdAccounts  CLIENT       N/A      N/A      N/A         N/A      N/A      N/A

In order to maintain compatibility with older versions of SQL FineBuild, the parameter ConfigStdAccounts can also be used.

FineBuild also uses the following parameters to help Configure Database Owner Account:

Parameter       Default Value  Description
DBOwnerAccount  DBOwner        Name of DB Owner account
SAPwd           none           Password for sa account

FineBuild will automatically:

Create a Credential for the user database owner account

Create the user database owner account login

Mark the account as Disabled to prevent people logging on with the account

Change the ownership of all user databases that are owned by an account with Sysadmin rights so they are owned by the user database owner account
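The four steps above, written out as T-SQL so they can be audited and reproduced by hand. This is an added example, not a script from SQL FineBuild: it uses the DBOwnerAccount default "DBOwner" from the parameter table, while the credential name [FineBuildDBOwner] and the password placeholder are assumptions.

```sql
-- Added example, not a script from SQL FineBuild. Uses the DBOwnerAccount
-- default "DBOwner" from the parameter table; the credential name
-- [FineBuildDBOwner] is an assumption. Run in master as a sysadmin.
USE master;
GO

-- 1. Credential whose IDENTITY records the standard user-database owner login.
--    Other code can recover the account name from sys.credentials.
IF NOT EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'FineBuildDBOwner')
    CREATE CREDENTIAL [FineBuildDBOwner] WITH IDENTITY = N'DBOwner';
GO

-- 2. Low-privilege SQL login for the owner account, then disable it so that
--    nobody can log on with it (a disabled login can still own databases).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DBOwner')
    CREATE LOGIN [DBOwner]
        WITH PASSWORD = N'<placeholder: generate a strong random password>',
             CHECK_POLICY = ON;
ALTER LOGIN [DBOwner] DISABLE;
GO

-- 3. Audit: user databases owned by a sysadmin member, showing whether
--    cross-database ownership chaining is on (the risky combination).
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login, d.is_db_chaining_on
FROM sys.databases AS d
WHERE d.database_id > 4                     -- skip the system databases
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;
GO

-- 4. Re-own those databases, reading the owner name from the credential
--    rather than hard-coding it (the lookup the text describes).
DECLARE @Owner sysname, @Sql nvarchar(max);
SELECT @Owner = credential_identity
FROM sys.credentials WHERE name = N'FineBuildDBOwner';
SET @Sql = N'';
SELECT @Sql = @Sql + N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(d.name)
                   + N' TO ' + QUOTENAME(@Owner) + N';' + CHAR(10)
FROM sys.databases AS d
WHERE d.database_id > 4
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
  AND SUSER_SNAME(d.owner_sid) <> @Owner;
PRINT @Sql;                                 -- shows the statements being run
EXEC sys.sp_executesql @Sql;
GO
```

Databases whose owner SID no longer maps to a login return NULL from SUSER_SNAME and are left untouched by step 4; they show up as a blank owner_login in the step 3 audit and need a manual ALTER AUTHORIZATION.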